Now I have customers that are set up both ways for different reasons. In many ways, I prefer the ".local" domain internally because then public websites, etc. are managed on public DNS only. This would be especially true if you host your public DNS (which I strongly suggest companies not do), but even then it can be managed. Overall my point is that it is cleaner and simpler to have private.local and public.com separate.
Unfortunately, by having a disjointed namespace, sometimes you will want clients to be redirected back internally when using an external URL, most commonly for Exchange services (Outlook Anywhere, OWA, ActiveSync), though there are other times, such as using SSO on your firewall.
Now, there are many ways to accomplish this re-routing, using NAT rules on a router/firewall or hosting a stub zone on private DNS, etc. The simplest way I've devised is to use the firewall as my DNS forwarder and set up the static entries there.
Here's how it works (we'll use Exchange as an example):
- Clients need to resolve email.publicdomain.com which is hosted internally.
- Clients obviously point to internal DNS servers (usually AD servers, but not necessarily) looking for email.publicdomain.com, but they don't host that domain; only email.private.local.
- Those private DNS servers use the Sophtaro firewall as their "forwarder" (could also read as: next DNS hop) and pass the request on to the firewall.
- The Sophtaro has static entries set up for email.publicdomain.com that point to the internal IP address of the Exchange server (or whatever application is needed) and passes that back to the AD server, which passes it back to the client (that's not EXACTLY how it works, but close enough).
- The client can now use the public URL of https://email.publicdomain.com in their Outlook and iPhones to access the Exchange server whether they're at home or on wireless in or outside of the office (i.e. everywhere) and the URL will always work.
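The resolution chain above, modelled as an added example (not the post's or any vendor's code): an internal zone, a forwarder with static entries, and public DNS, plus a small audit of the static entries. All names and addresses are constructed samples.

```python
import ipaddress

# Constructed sample data for the three hops described above.
INTERNAL_ZONE = {"email.private.local": "10.0.0.25"}          # AD DNS, private.local only
FIREWALL_STATIC = {"email.publicdomain.com": "10.0.0.25"}     # static entries on the forwarder
PUBLIC_DNS = {                                                # what public DNS would answer
    "email.publicdomain.com": "203.0.113.10",
    "www.publicdomain.com": "203.0.113.20",
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def resolve_public(name):
    return PUBLIC_DNS.get(name)


def resolve_firewall(name):
    # A static entry shadows the public record; anything else is forwarded on.
    return FIREWALL_STATIC.get(name) or resolve_public(name)


def resolve_internal(name):
    # AD DNS answers only for its own zone and forwards everything else.
    if name.endswith(".private.local"):
        return INTERNAL_ZONE.get(name)
    return resolve_firewall(name)


def resolve(name, on_lan):
    """A client on the LAN asks internal DNS; a roaming client asks public DNS."""
    return resolve_internal(name) if on_lan else resolve_public(name)


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def audit_overrides():
    """Flag static entries that shadow a name with no public record (likely a typo
    or a stale entry) or that point outside RFC1918 space (not an internal host)."""
    problems = []
    for name, ip in FIREWALL_STATIC.items():
        if name not in PUBLIC_DNS:
            problems.append(f"{name}: no matching public record")
        if not is_rfc1918(ip):
            problems.append(f"{name}: points at non-private address {ip}")
    return problems
```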
Good Luck.
thanks
It is truly a practical blog to discover various resources to add to my knowledge. Sophos XG Firewall